You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.

SubjectJAVA PropertyExplanationTypeDefault
Security
















blueriq.security.click-jacking-protection.enabledTurn clickjack protection on/off. For more information go to Security: Clickjacking protection.
Booleantrue

application.properties

blueriq.security.click-jacking-protection.content-security-policy.default-srcSet the location where content can be loaded from, if no more specific value (for example font for where fonts can be loaded from) is given there is a fallback to this value. For more information see Security: Clickjacking protection.String'self'

application.properties

blueriq.security.click-jacking-protection.content-security-policy.script-srcSet the location where scripts can be loaded from. For more information see Security: Clickjacking protection.String'self'

application.properties

blueriq.security.click-jacking-protection.content-security-policy.style-srcSet the location where stylesheets can be loaded from. For more information see Security: Clickjacking protection.String'self'

application.properties

blueriq.security.click-jacking-protection.content-security-policy.font-srcSet the location where fonts can be loaded from. For more information see Security: Clickjacking protection.String'self'

application.properties

blueriq.security.click-jacking-protection.content-security-policy.img-srcSet the location where images can be loaded from. For more information see Security: Clickjacking protection.String'self'

application.properties

blueriq.security.click-jacking-protection.content-security-policy.frame-ancestors

Set the valid parent hosts that may embed Blueriq using <frame>, <iframe>, <object>, <embed> or <applet>. For more information see Security: Clickjacking protection.

Available since Blueriq 14.4.

Note that Content Security Policy is not supported by Internet Explorer, so this setting will not have an effect on users that still use Internet Explorer.

String'self'

application.properties

blueriq.security.csrf-protection.enabledTurn Cross Site Request Forgery protection on/off. For more information go to Security: Cross-site scripting protection.
Booleantrue

application.properties

blueriq.security.referrer-policy.enabledEnables mechanism of adding Referrer-Policy header to all outgoing requests.
Booleantrue

 application.properties

blueriq.security.referrer-policy.policySet the Referrer-Policy header value different than default.
Stringreferrerorigin

 application.properties

blueriq.security.x-content-type-protection.enabledAdd the X-Content-Type-Options header to responses to protect against MIME type sniffing. For more information go to Security: Content sniffing protection.
Booleantrue

application.properties

blueriq.security.xss-protection.enabledTurn cross site scripting protection protection on/off. For more information go to Security: Cross-site scripting protection.
Booleantrue

application.properties

blueriq.security.xss-protection.header.enabledTurn the X-XSS-Protection HTTP header on/off.Booleantrue

application.properties

blueriq.security.xss-protection.request-body-validation.enabledEnable the X-XSS-Protection on request body.Booleantrue

application.properties

blueriq.security.xss-protection.request-parameter-validation.enabledEnable the X-XSS-Protection on request parameters.Booleantrue

application.properties

blueriq.security.xss-protection.request-url-validation.enabledEnable the X-XSS-Protection on request url.Booleantrue

application.properties

blueriq.security.xss-protection.multipart-request-validation.enabledEnable the X-XSS-Protection on multipart request.Booleantrue

application.properties

blueriq.security.xss-protection.blacklist.enabledTurn the XSS blacklist on/off.

Boolean

true

application.properties

blueriq.security.xss-protection.whitelist.enabledTurn the XSS whitelist on/off.Booleantrue

application.properties

blueriq.security.xss-protection.whitelist.allowed-protocols

Set the whitelisted protocols in URI attributes.

Example value: 'http,https,mailto'

Comma separated stringempty

application.properties

blueriq.security.xss-protection.whitelist.allowed-tags

Set the whitelisted HTML tags.

Example value: 'b,img'

Comma separated stringempty

application.properties

blueriq.security.xss-protection.whitelist.allowed-global-attributes

Set the whitelisted attributes allowed on any whitelisted HTML tag.

Example value: 'class,title'

Comma separated stringempty

application.properties

blueriq.security.xss-protection.whitelist.allowed-attributes.<tag>

Set the whitelist attributes allowed on a specific whitelisted HTML tag.

Example key: 'blueriq.security.xss-protection.whitelist.allowed-attributes.h1'

Example value: 'class'

Key: string

Value: comma separated string

empty

application.properties

blueriq.security.xss-protection.whitelist.uri-attributes.<tag>=<attr1>,<attr2>Mark which attributes are URI attributes and are subject to the allowed protocols rule. In Java, URI attributes can be defined per tag. In .NET, URI attributes can be defined only globally.

Key: string

Value: comma separated string

empty

application.properties

blueriq.security.xss-protection.whitelist.max-loop-countDefine a limit on the number of sanitization iterations.Integer5

application.properties

blueriq.security.xxe-protection.enabledEnable XML External Entity (XXE) protection.Booleantrue

application.properties

blueriq.security.xxe-protection.disallow-doctype-decl

Disallow doctype declaration processing in XML-files.

Protection is enabled when set to: true.

Booleantrue

application.properties

blueriq.security.xxe-protection.load-external-dtd

Enable loading external DTDs in XML-files.

Protection is enabled when set to: false.

Booleanfalse

application.properties

blueriq.security.xxe-protection.external-general-entities

Enable processing external general entities in XML-files.

Protection is enabled when set to: false.

Booleanfalse

application.properties

blueriq.security.xxe-protection.external-parameter-entities

Enable processing external parameter entities in XML-files.

Protection is enabled when set to: false.

Booleanfalse

application.properties

blueriq.security.xxe-protection.xinclude-aware

Enable processing of XML Inclusions (XInclude) in XML-files.

Protection is enabled when set to: false.

Booleanfalse

application.properties

blueriq.security.xxe-protection.expand-entity-references

Enable expansion of entity references in XML-files.

Protection is enabled when set to: false.

Booleanfalse

application.properties

blueriq.security.http.restricted-methods

Specify the methods that should not be allowed while doing HTTP calls. For more information go to Security: Block HTTP Methods.

Example value: 'head,get,post,options'

Comma separated stringempty

application.properties

blueriq.security.http.runtime.enabled

This property if true enables the default secured access to the runtime interactions.

Booleantrue

application.properties

blueriq.security.login-type

Defines the login type used in Blueriq.

If openid-connect is chosen, openid-connect properties have to be defined as well.

One of:

  • 'form-login'
  • 'openid-connect'
  • 'jwt'
'form-login'

application.properties

blueriq.security.redirect-url-whitelist

Define a whitelist of URLs where the user can be redirected to. If the redirect_uri (for OpenIdConnect login/logout) or the error-redirect (for render document/page and file download) are not in this list, the Runtime will return 400. This list is case sensitive.

If the list is empty, any URL is accepted up to version 14.x. From 15.0 onwards, no URLs are accepted when an empty list is provided.

Comma separated listempty

application.properties

blueriq.security.keystore.locationThe path to the keystore file to be used as repository for security certificates.

Spring Resource

empty

application.properties

blueriq.security.keystore.passwordThe password of the keystore.Stringempty

application.properties

blueriq.security.keystore.default-certificateDefault certificate used to verify signatures when no KeyInfo is provided in the request.Stringempty
blueriq.security.truststore.location

The path to the trust store containing the public keys/certificates of external hosts that should be trusted.

This indicates the trust store that is used for the Soap Service Client.

Spring Resource

empty

application.properties

blueriq.security.truststore.passwordThe password for the truststore file.Stringempty

application.properties

blueriq.security.truststore.default-certificateDefault certificate used to verify signatures when no KeyInfo is provided in the request.Stringempty
blueriq.security.bcrypt-strength

Define the BCrypt strength for password hashing. BCrypt is the default encoder in Blueriq.

Applicable values: number between 4-30 

Performance impact

The higher the number the higher the hashing complexity but also the work to calculate the hash. Each increment is twice as much work. 

Introduced in version 12.13.

Integer10

application.properties

blueriq.security.session-fixation-protection.enabled

Turn session fixation on/off. For more information, see Security: Session Fixation protection.

Introduced in versions 14.11, 13.13.18 and 12.13.39.

Booleantrue

application.properties

blueriq.security.cors.enabled

Enable response headers related to Cross-Origin Resource Sharing.

When disabled, the Same-origin policy implemented in web browsers does not allow scripts with a different origin to call Runtime endpoints. This is the secure default.

Booleanfalse

application.properties

blueriq.security.cors.allowed-originsSpecify origins for the Access-Control-Allow-Origin response header.Comma separated stringempty

application.properties

blueriq.security.cors.allowed-methodsSpecify methods for the Access-Control-Allow-Methods response header.Comma separated stringempty

application.properties

blueriq.security.cors.allowed-headersSpecify headers for the Access-Control-Allow-Headers response header.Comma separated stringempty

application.properties

blueriq.security.cookie-same-site.enabled

Turn on the same site attribute for the cookies in blueriq.  for more information see: Security: SameSite.

Introduced in version 15.0.

Booleantrue

application.properties

blueriq.security.cookie-same-site.value

Define the value for the same site attribute for the cookies in blueriq. for more information see: Security: SameSite.

Introduced in version 15.0.

String'strict'

application.properties